ESMA produce cloud outsourcing guidance for investment banks and service providers – Out-Law.com

The ESMA guidelines also set out a list of contractual requirements to be included in contracts with cloud suppliers. This list likewise differentiates between arrangements for critical or important functions and those for functions that are neither critical nor important.

While the EBA's guidelines make clear that institutions must insist that cloud providers ensure that sub-outsourcers grant the "same contractual rights of access and audit as those granted by the service provider", this obligation is not explicitly set out by ESMA. However, ESMA does require the cloud provider to ensure that, where it sub-outsources, all contractual obligations between the cloud provider and the regulated entity "are continuously met".

There are also specific differences between the EBA's guidelines and those developed by ESMA on information security, audit rights, data location and exit.

Guideline 4 requires information security requirements to be included in the written cloud outsourcing agreements. For critical or important functions, a list of specific requirements must be complied with, applied on a risk-based approach.

While the nature of what is set out in this list is broadly similar to those specified by the EBA and EIOPA, the detail is different.

Unique to the ESMA draft guidelines are explicit requirements to:

It is not clear why ESMA has called out some information security measures which are not explicitly referred to in the EBA's outsourcing guidelines, but not others set out in the EBA's sister guidelines on ICT and security risk management.

Regulated entities are also asked to "consider" various matters in relation to encryption and key management, tenant isolation in shared environments, operations and network security and application programming interfaces. The detail provided in the ESMA guidelines in relation to these areas does not replicate what is outlined in the EBA and EIOPA guidelines.

Guideline 4 also requires that regulated entities ensure that the cloud service provider "complies with internationally recognised information security standards". This is slightly different to the EBA's outsourcing guidelines which require regulated entities to "ensure that service providers, where relevant, comply with appropriate IT security standards". Background information issued alongside the EBA's guidelines does, however, explain that regulated entities "must ensure that they meet internationally accepted information security standards and this also applies to outsourced IT infrastructures and services".

ESMA's guidelines make a number of references to the need for firms to know and document the locations where their data will be stored and processed in the cloud. However, some provisions refer to the 'countries' where data is located, while others refer to 'country or region'.

Regulated entities are to set out "the location(s) (namely countries) where relevant data will be stored and processed (location of data centres)", both as information kept in the cloud register and shared with the regulator prior to entering into a written agreement, and within written agreements for outsourcings which relate to critical or important functions. Separately, as part of their overall approach to risk management of critical and important functions, regulated entities are to "adopt a risk-based approach to data storage and data processing location(s) (namely country or region)".

During the consultation period there will be an opportunity to clarify whether ESMA intends regulated entities to keep track of the individual countries within regions, such as the EU or EEA, where data is stored, or whether this is an unintentional oversight in the text. Clarity on this point is important, as some cloud providers may not want to reveal the specific country in which data is stored.

The ESMA guidelines are broadly in line with the EBA's guidelines in respect of the provision institutions must make for exiting from cloud outsourcing arrangements. However, there are some technical differences in the language used.

Exit plans need to be updated if an outsourced function changes. The written outsourcing agreement also needs to set out "an obligation for the CSP to orderly transfer the outsourced function and all the related data from the CSP and any sub-outsourcer to another CSP indicated by the firm or directly to the firm in case the firm activates the exit strategy."

Taken literally, this requirement is broader than that set out by the EBA as the cloud provider must transfer all of the related data, not only that data which is relevant or will be useful to the regulated entity in the future.

The ESMA guidelines only address the auditing rights institutions must secure from cloud providers for themselves and regulators in the context of critical and important outsourcing arrangements. The requirements are broadly similar to those set out in the EBA's guidelines.
